SECRET


16 June 1980


MEMORANDUM FOR: Chief, Management Staff
                Office of Data Processing

FROM:           Deputy Director for Applications
                Office of Data Processing


SUBJECT: Draft Security Requirements for Automated
         Information Systems Located in Overseas
         Installations (U)


1. Applications personnel have reviewed the draft
requirements submitted by the Information Systems Security
Group, Office of Security. Since we recognize the
importance of writing policy in this area, we recommend that
the following comments be incorporated in the next revision.
(U)


2. The purpose of automating field stations is to
make them more efficient and to reduce the vulnerability of
information, especially if a station is overrun. Although
the draft specifies that removable data storage media shall
be used (IV.D.1.c), the draft does not address how data
should be stored on the media. Considering the possibility
of large information banks in the field, stronger guidelines
are needed as to what and how much data should be kept in
the field and under what conditions. (S)


For instance, should the data stored on field media be
encrypted? (S)


If a cassette or a floppy disk were compromised, the
problem of damage assessment is not addressed. Since there
is no requirement for maintaining volume data set catalogs,
the Agency would not know what data was lost. (S)


3. The requirement in IV.D.2.4 for system software to
handle all interrupts in a known and secure manner implies
that only provably secure operating systems would be
allowed. Such operating systems are being developed but are
not available now. The draft does not address system
software certification or waiver procedures. (U)


4. In paragraph IV.D.5.a.2 the draft specifies that
"only those terminals designated for the security
classification access level being processed shall be
logically connected...". The draft could easily specify
that terminals not so designated be electrically
disconnected by means of a patch panel or other similar
arrangement. The specification of "logically" implies
that the system software would control access, and this is an
unnecessary spillage risk. (S)


5. The requirement for each data file to be
controlled by a file password and indicators to describe to
the system the type of access authorized (IV.D.5.b.1) is
unrealistic for the class of machine planned for the field.
Since each dataset must reside on removable media and each
storage disk, tape, etc., is to be marked, why not specify
that only those media marked at the appropriate level be
installed on the system? (S)


6. In the following paragraph (IV.D.5.b.2), access to
the master data file is limited to the ADP System Security
Officer. This is shortsighted and not practical. First,
there should always be a backup for this function. And,
second, there is a need in some installations for backup of
datasets that requires automatic linkage to the master data
file. The password file should be protected by encryption
such that a system dump or system spillage will not
compromise this file. (S)
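The point in paragraph 6 is that a dump of memory or of the password file must not hand over the credentials it holds. The following is an added illustration, not part of the memo or of the draft requirements it reviews. The memo asks for "encryption"; because a reversible key would itself be present in a full system dump, this example uses the standard substitute for that goal, a salted one-way derivation (PBKDF2-HMAC-SHA256 from the Python standard library), and contrasts it with a password file stored as typed. The account names and passwords are constructed for the example; the function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts for the example; not from the memo.
ACCOUNTS = {"opsclerk": "c0rrect-horse", "isso": "Tr0ub4dor&3"}

# Work factor for PBKDF2; kept moderate so the example runs quickly.
PBKDF2_ITERATIONS = 200_000


def build_plaintext_file(accounts):
    """The weak design: each record is 'user:password' exactly as typed.
    Any dump or spill of this file yields every password verbatim."""
    return "\n".join(f"{user}:{pw}" for user, pw in accounts.items())


def build_protected_file(accounts, rng=secrets.token_bytes):
    """The recommended design: each record is 'user:salt:derived-key'.
    A dump of this file gives an attacker only per-user salts and
    slow-to-invert digests, not the passwords themselves."""
    lines = []
    for user, pw in accounts.items():
        salt = rng(16)  # fresh random salt per account
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
        lines.append(f"{user}:{salt.hex()}:{dk.hex()}")
    return "\n".join(lines)


def verify(protected_file, user, password):
    """Check a login attempt against the protected file.
    Recomputes the derivation with the stored salt and compares in
    constant time; an unknown user or wrong password returns False."""
    for line in protected_file.splitlines():
        name, salt_hex, dk_hex = line.split(":")
        if name != user:
            continue
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(got, expected)
    return False


def passwords_recoverable_from_dump(file_text, accounts):
    """Damage assessment after a spill: which accounts' passwords appear
    verbatim in the dumped file contents? Returns the exposed user names."""
    return [user for user, pw in accounts.items() if pw in file_text]


if __name__ == "__main__":
    plain = build_plaintext_file(ACCOUNTS)
    protected = build_protected_file(ACCOUNTS)
    print("exposed by plaintext file:", passwords_recoverable_from_dump(plain, ACCOUNTS))
    print("exposed by protected file:", passwords_recoverable_from_dump(protected, ACCOUNTS))
    print("login ok:", verify(protected, "opsclerk", "c0rrect-horse"))
    print("login bad:", verify(protected, "opsclerk", "wrong"))
```

The protected file still has to be backed up and its records recreated when a password changes, which is why the memo's point about a backup for the ISSO function and automatic linkage for dataset backups stands regardless of how the file is protected.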


7. It is puzzling why the password procedures
(IV.D.5.c) do not apply to stand-alone word processing
terminals, since this class of terminals can read and write
the same data sets as other ADP systems, and up to the same
classification levels. (U)


8. The section on Data Processing (V.D.) regarding
abnormal data processing system operation is not practical.
A runaway tape or a disk head crash should not cause the
system to be stopped. This section should be rewritten to
be more specific and should concentrate on events that have
security implications. For instance, a reported spillage to
a terminal or printer should be investigated and would be a
valid reason to stop the system. (S)


9. The section on System Maintenance/Modification may
not recognize that the Agency does and will probably
continue to use contractor personnel for on-site maintenance
and field modification of equipment. (U)
10. The certification of the ISSO on system software
modifications in section VII.B.b requires technically expert
people to be meaningful. Since these experts are in short
supply, even in ADP components, this requirement could be a
bottleneck in software updates. (U)


11. The key to emergency procedures, as mentioned
before, is in limiting the amount of data stored in the
field, not in trying to sanitize or destroy it during an
emergency. The draft does not specify that the procedures
be exercised so that they are proven and field personnel are
fully familiar with them. A possible oversight is that
there is no requirement that the ADP Systems Security
Officer be responsible for having ADP personnel read the
procedures. (U)


12. Equipment procurement sterility is not addressed
in the draft. Will there be any policy or guidelines
regarding equipment that is Agency unique? (S)